Protection against various threats
SES Evolution provides rules that help you to detect the main threats and protect yourself from them. In this section, we briefly explain the characteristics of each type of threat. Refer to Configuring threat protection for information on how to implement protection against the various threats.
Process hollowing
The process hollowing protection mechanism detects and blocks malicious executables that attempt to disguise themselves as legitimate processes on the system (e.g., explorer.exe) so that they can run without being detected by Windows. It counters attacks such as RunPE and Process Doppelgänging.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Detect only mode, and only disable it for well-identified internal applications that legitimately use the process hollowing technique. |
Stack pivoting
Stack pivoting attacks exploit buffer overflows so that they can hijack an application’s execution flow to make a legitimate application run malicious code.
The stack pivoting protection mechanism regularly monitors memory. If SES Evolution detects abnormal behavior on an agent, especially a different stack address, it will stop the process to prevent the code from being executed.
| Rule set type | Protection |
| Log level | Alert |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Detect only mode for all applications. |
Execution flow hijacking
The execution flow hijacking protection mechanism detects and neutralizes malicious shellcodes that exploit buffer overflows to use the addresses of system functions in the dynamic library kernel32.dll.
| Rule set type | Protection |
| Log level | Error |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Block and interrupt mode for all applications. |
Heap spray
Heap spraying is a technique that consists of allocating large amounts of memory to facilitate the execution of malicious code after a vulnerability is exploited. Since heap spraying can only be used on 32-bit applications, the SES Evolution protection mechanism is not enabled on 64-bit applications.
| Rule set type | Protection |
| Log level | Alert |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Block and interrupt mode for all applications. |
Access token manipulation
The operating system assigns a security token to every process; among other data, this token contains the account with which the process was run and the privileges associated with this process.
Some attack techniques manage to steal or duplicate the security tokens of high-privilege processes, thereby gaining access to resources or privileges that would not normally be granted to them.
The token protection mechanism on SES Evolution makes it possible to block such attacks by stopping the process that stole the token.
| Rule set type | Protection |
| Log level | Alert |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Block and interrupt mode for all processes. |
Application hooking
The Windows SetWindowsHookEx API allows a program to be notified when certain events occur on the system or on applications, e.g., mouse movements, keystrokes, etc. A DLL is injected into target applications for this purpose.
Even though this is a legitimate mechanism, hackers may use it to inject malicious code so that a user’s operations can be observed, e.g., the keystrokes when the user enters various passwords.
| Rule set type | Protection and Audit |
| Log level |
Protection: Error Audit: Information |
| Generate a context | Up to user (Yes by default) |
| Recommendations |
Disable default protection. |
When this rule is enabled, it controls all applications that use SetWindowsHookEx. If you do not want to completely block access to this API, do not enable this rule, but make the necessary adjustments in the Keylogging application rule.
Privilege escalation
This protection mode makes it possible to monitor applications’ attempts to escalate privileges by using the Debug privilege. When this mode is enabled, SES Evolution compares the privileges usually granted to the application with those requested. If the requested privileges are higher, SES Evolution will consider the request a privilege escalation and may block the action.
| Rule set type | Protection and Audit |
| Log level |
Protection: Error Audit: Information |
| Generate a context | Up to user (Yes by default) |
| Recommendations | Up to user |
EDR detection bypass
This protection mode protects against attacks from malicious programs that attempt to disable EDR (Endpoint Detection and Response) modules based on AMSI and ETW technologies.
| Rule set type | Protection |
| Log level |
Alert |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Detect only mode for all processes. |
Fileless attack
Fileless attacks act without writing malicious files to workstation disks. The attack occurs in memory.
This protection mode protects against processes that attempt such attacks.
| Rule set type | Protection |
| Log level |
Alert |
| Generate a context | Always |
| Recommendations | Enable this protection by default in Detect only mode for all processes. |
Rootkit detection
A rootkit is a program that modifies the behavior of the operating system so that the system does not notice this program has been executed. Its aim is to gain and keep access to a computer, usually with malicious intentions.
Rootkit detection on SES Evolution makes it possible to monitor driver loading and verify their integrity.
| Rule set type | Audit |
| Log level | Emergency |
| Generate a context | Up to user (Yes by default) |
| Recommendations | Enable these rules by default and disable them only for legitimate drivers. |
Driver loading
The driver loading protection mechanism detects drivers that the operating system loads and generates a log for each driver.
Driver integrity
The driver integrity protection mechanism regularly verifies every driver to ensure that its integrity has not been potentially compromised, i.e., whether its major function table has been modified. If changes are detected, SES Evolution will identify the driver behind the attack and generates a log. For example, if a malicious driver could modify an antivirus driver, it would prevent files from being analyzed.
However, some drivers make legitimate changes, as is the case with some virtualization tools. These drivers must be excluded from the audit rule.
Advanced protections
Stormshield also provides a set of advanced protections against some types of threats. These protections are natively built into the administration console.
Advanced protections make it possible to detect and block malicious behavior on SES Evolution agents. They are based on heuristic analyses, which can be updated without the need to update the SES Evolution software.
To view advanced protections in the console:
- Select the Security > Policies menu.
- Click on View advanced protections at the top right side of the home panel of the policies.
Refer to Configuring threat protection for information on how to implement advanced protection against the various threats.
Advanced protections have version numbers and can be updated via Stormshield when necessary. During updates, you can therefore re-import them in the Advanced protections panel. All previous versions of a protection remain available in the administration console.
Kerberos ticket protection
Prevents the retrieval of Kerberos tickets from memory, as they may be used later to launch pass-the-ticket attacks.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Protection against ARP spoofing
Prevents network traffic from being intercepted, modified or stopped through ARP spoofing attacks. The ARP table is evaluated every 5 minutes.
| Rule set type | Audit |
| Log level | Alert by default |
| Generate a context | Up to user (Yes by default) |
WMI Persistence
This protection prevents malware programs from persisting on computers through WMI (Windows Management Instrumentation).
It relies on the Microsoft-Windows-WMI-Activity/Operational event log. In Windows 7 and Server 2008, the Windows update KB3191566 is needed for this log to be present.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Protection against malicious use of certutil
This protection mode protects users from the malicious use of the Windows program certutil, which allows certificates to be managed. Using this protection may generate false positives, as the files that certutil handles need to be opened in read-only mode. If such files cannot be accessed due to insufficient privileges, the operation on the certificates will be considered malicious, even though it is legitimate.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Environment discovery
This protection prevents the use of the built-in Windows tools that collect information on the host and system with the aim of performing malicious operations.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Ransomware
This protection mode keeps track of when files are modified and encrypted. If a particular number of such events occurs in the space of three seconds, the process in question will be stopped. This mode also makes it easier to retrieve data that the ransomware encrypts, by enabling:
- the identification of files modified by the ransomware,
- the restoration of the identified files, based on Windows shadow copies.
| Rule set type | Protection |
| Log level | Alert by default |
| Generate a context | Always |
Parent PID Spoofing
This protection mode prevents hackers from starting programs that they would declare as children of arbitrarily chosen existing processes with the purpose of concealing malicious processes from security analysts.
| Rule set type | Protection |
| Log level | Critical by default |
| Generate a context | Up to user (Yes by default) |